Information will be protected according to the standard – Newspaper Kommersant No. 217 (7418) dated 11/23/2022

Government agencies, state corporations, banks, mobile operators and other companies with critical information infrastructure (CII) may be required to analyze the cybersecurity of their networks. The methodology is being developed by the Federal Service for Technical Export Control (FSTEC). Companies will be judged on the level of data protection, speed of response to incidents and awareness of employees about cyber risks. The initiative is unlikely to increase security, experts believe, but it will help plan purchases, and suppliers to set prices.

FSTEC has developed a new methodology for assessing the degree of information security in Russian organizations, Vitaly Lyutikov, deputy director of the service, said at the November 15 SOC forum. As the FSTEC explained to Kommersant, the methodology is intended for government agencies and organizations with state participation, as well as CII facilities (banks, telecom operators, organizations of the fuel and energy complex, and so on). At the initial stage, it will be advisory in nature, the mandatory implementation will be assessed after testing, the service specified. “The goal is the formation of unified approaches to assessing the security of information in organizations,” say the FSTEC.

The agency proposes to distinguish four levels of security, follows from the presentation of the FSTEC, which Kommersant got acquainted with, – high, basic increased, basic and low. The result will consist of three main indicators: organization and management of information security, implementation of security measures, support of its level (for example, monitoring and response of the company to an incident, vulnerability management). The training of staff and their awareness of cybersecurity issues will also be taken into account.

The new FSTEC methodology is similar to the assessment of the “digital maturity” of organizations, which the office of Deputy Prime Minister Dmitry Chernyshenko applied to the federal executive authorities (FOIV) as part of digital transformation (one of the national goals of Russia’s development until 2030), explains the interlocutor of “Kommersant” in government. It includes an assessment of the introduction of artificial intelligence technologies, big data processing and the Internet of things by federal executive authorities, as well as the use of Russian radio-electronic products: data storage systems and servers (see Kommersant of November 12). According to the interlocutor of Kommersant, the methodology is necessary for the authorities, since “now it is very difficult to collect a picture of cybersecurity in CII.”

In general, CII subjects positively evaluate the FSEK initiative. “A transparent methodology for categorizing and assessing the level of security, as well as clear recommendations for eliminating the shortcomings identified during inspections, will allow CII subjects to have a uniform and adequate approach to organizing cybersecurity,” said Alexei Pleshkov, Deputy Head of the Information Security Department at Gazprombank. Tele2 promises to apply the methodology if it is approved: “It is still difficult to assess its quality, but the general approach – the listed factors and the structure of the integral assessment – seems to be correct.” MegaFon noted that in order to evaluate the initiative, “it is necessary to study it in more detail.”

The approach developed by FSTEC should become a reference for both customers and developers, Roman Mylitsyn, head of research at Astra Group, believes. In his opinion, the methodology will be refined and tested on real problems. By itself, the technique will not increase the security of the organization, but it may be important for planning the work of information protection units or external contractors, Vladimir Ulyanov, head of the analytical center at Zecurion, believes. The introduction of the methodology will not increase the volume of customer requests to companies in the field of information security, according to Rustem Khairetdinov, an independent information security expert, but it will structure and give them a rationale. Kommersant’s interlocutor in the information security market also admits that security solution providers will be able to use the methodology to set prices for their products.

Tatiana Isakova, Yulia Poslavskaya